CVE-2022-0786
Published 2022-06-13
Priority: P180 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 11.48% (95.5th percentile)
The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iqonic | kivicare | < 2.3.9 | 2.3.9 |
Detection & IOCs (extracted from sources)
sigma
```
status_code == 200 AND contains(content_type, "text/html") AND contains(body, "Doctor details")
```
- Monitor unauthenticated POST requests targeting the WordPress admin-ajax.php endpoint with action=ajax_post and route=get_doctor_details for SQL injection payloads in parameters.
- A successful exploitation response will return HTTP 200 with content-type text/html and a body containing the string 'Doctor details'; alert on this pattern in WAF/proxy logs.
- The vulnerability is exploitable by unauthenticated users; no session cookie or authentication token is required, so filter for anonymous requests to admin-ajax.php matching the above action/route combination.
- The vulnerability affects KiviCare WordPress plugin versions before 2.3.9 only; confirm the version scope before deploying detections to avoid false positives on patched installations.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-79q2-v554-rhr4 · ghsa_unreviewed · 2022-06-14 · CWE-89 · CRITICAL
VulnCheck
iqonic kivicare: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') · vulncheck · 2022 · CVSS 9.8 · CRITICAL
Affected: iqonic kivicare
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-0786; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&v
No detection rules found.
Nuclei
WordPress KiviCare <2.3.9 - SQL Injection · nuclei · CVSS 9.8 · CRITICAL
Template matchers (the request section of the template is truncated in the source; only the matcher list and digest survive):
```yaml
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "Doctor details")'
condition: and
# digest: 4b0a004830460221008baf616964d189064ed8fb3bb8769ba3e67e84f9834aa64557f3400e39b32cca022100a9f41b6fcc49c09a448142876900b3cf74d8babe04316c935390dd45ac449e1b:922c64590222798bb761d5b6d8e72950
```